Law enforcement seized the website selling the NetWire RAT and arrested a Croatian man

An international law enforcement operation seized the infrastructure associated with the NetWire RAT and resulted in the arrest of its administrator.

A coordinated international law enforcement operation resulted in the seizure of the infrastructure associated with the NetWire RAT, the police also arrested its administrator.

Busted! A coordinated #lawenforcement action has taken down the #Netwire Remote Access Trojan infrastructure. Main suspect arrested.#Netwire is a Licensed Commodity RAT offered in underground forums to non-technical users to carry out their own criminal activities.— EC3 (@EC3Europol) March 10, 2023Law enforcement seized the website www.worldwiredlabs[.]com and its alleged administrator, a Croatian national.

The NetWire Remote Access Trojan (RAT) is available for sale on cybercrime forums since 2012, it allows operators to steal sensitive data from the infected systems.

“As part of an international law enforcement effort, federal authorities in Los Angeles this week seized an internet domain that was used to sell computer malware used by cybercriminals to take control of infected computers and steal a wide array of information.” reads the press release published DoJ. “A seizure warrant approved by a United States Magistrate Judge on March 3 and executed on Tuesday led to the seizure of, which offered the NetWire remote access trojan (RAT), a sophisticated program capable of targeting and infecting every major computer operating system.”

While the defendant has yet to reveal the name of the man, the popular investigator Brian Krebs identified Mario Zanko as the owner of the site.

“While the defendant in this case hasn’t yet been named publicly, the NetWire website has been leaking information about the likely true identity and location of its owner for the past 11 years.” reads the post published by Brian Krebs. “According to, printschoolmedia[.]org was registered to a Mario Zanko in Zapresic, Croatia, and to the email address DomainTools further shows this email address was used to register one other domain in 2012: wwlabshosting[.]com, also registered to Mario Zanko from Croatia.”

NetWire RAT is a cross-platform remote access trojan (RAT) that can infect Windows, macOS, or Linux systems.

The U.S. Department of Justice revealed that the FBI launched an investigation into the malware operation in 2020.

Undercover investigators created an account on the website used to sell the malware, paid for a subscription plan, and “constructed a customized instance of the NetWire RAT using the product’s Builder Tool,” according to the affidavit in support of the seizure warrant.

“By removing the Netwire RAT, the FBI has impacted the criminal cyber ecosystem,” said Donald Alway, the Assistant Director in Charge of the FBI’s Los Angeles Field Office. “The global partnership that led to the arrest in Croatia also removed a popular tool used to hijack computers in order to perpetuate global fraud, data breaches and network intrusions by threat groups and cyber criminals.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, NetWire RAT)
The post Law enforcement seized the website selling the NetWire RAT and arrested a Croatian man appeared first on Security Affairs.